[MAGNOLIA-8150] CsrfTokenSecurityFilter could create cookie only for text/html requests
Created: 10/Aug/21  Updated: 01/Nov/21  Resolved: 01/Nov/21

Status: Closed
Project: Magnolia
Component/s: core
Affects Version/s: 6.2.11
Fix Version/s: None

Type: Improvement
Priority: Neutral
Reporter: Federico Grilli
Assignee: Unassigned
Resolution: Obsolete
Votes: 1
Labels: artt, csrf
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MAGNOLIA-8209 CSRF Header sent with all responses Closed
relation
is related to MAGNOLIA-8142 Non ASCII characters in URIs interfer... Closed
is related to MAGNOLIA-8209 CSRF Header sent with all responses Closed
is related to MAGNOLIA-8162 Image URI with spaces cause CsrfToken... Closed
is related to MGNLIMG-231 Bypass CsrfTokenSecurityFilter for im... Closed

 Description   

The CSRF cookie is basically used for protecting posting forms. REST requests are already bypassed. We could generate the cookie only for text/html and avoid creating it for all other types of resources.

Some discussion around a possible implementation (not so trivial at first glance): https://git.magnolia-cms.com/projects/MODULES/repos/imaging/pull-requests/38/overview?commentId=83266



 Comments   
Comment by Michael Duerig [ 01/Nov/21 ]

This is part of MAGNOLIA-8209 now.
